From patchwork Sat Jun 10 06:57:51 2023
X-Patchwork-Submitter: Michael Tokarev
X-Patchwork-Id: 691158
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: Peter Maydell, qemu-trivial@nongnu.org, Michael Tokarev
Subject: [PULL 13/16] linux-user: Return EINVAL for getgroups() with negative gidsetsize
Date: Sat, 10 Jun 2023 09:57:51 +0300
Message-Id: <8fbf89a9669520ac09b3ae0013ff3eb34f8cab23.1686379708.git.mjt@tls.msk.ru>
X-Mailer: git-send-email 2.39.2
MIME-Version: 1.0

From: Peter Maydell

Coverity doesn't like the way we might end up calling getgroups() with a NULL grouplist pointer. This is fine for the special case of gidsetsize == 0, but we will also do it if the guest passes us a negative gidsetsize. (CID 1512465)

Explicitly fail the negative gidsetsize with EINVAL, as the kernel does. This means we definitely only call the libc getgroups() with valid parameters. It also brings the getgroups() code into line with the setgroups() code.

Possibly Coverity may still complain about getgroups(0, NULL), but that would be a false positive.

Signed-off-by: Peter Maydell
Reviewed-by: Michael Tokarev
Signed-off-by: Michael Tokarev
---
 linux-user/syscall.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 94256cc262..f2cb101d83 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -11676,7 +11676,7 @@ static abi_long do_syscall1(CPUArchState *cpu_env, int num, abi_long arg1, g_autofree gid_t *grouplist = NULL; int i; - if (gidsetsize > NGROUPS_MAX) { + if (gidsetsize > NGROUPS_MAX || gidsetsize < 0) { return -TARGET_EINVAL; } if (gidsetsize > 0) { @@ -12012,7 +12012,7 @@ static abi_long do_syscall1(CPUArchState *cpu_env, int num, abi_long arg1, g_autofree gid_t *grouplist = NULL; int i; - if (gidsetsize > NGROUPS_MAX) { + if (gidsetsize > NGROUPS_MAX || gidsetsize < 0) { return -TARGET_EINVAL; } if (gidsetsize > 0) {
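Review bot: in both hunks (at 11676 and 12012) the declaration of gidsetsize sits outside the visible context, so the new `gidsetsize < 0` test is only effective if that variable is a signed type; for an unsigned type the comparison would be dead code and a huge guest value would still be caught only by the `> NGROUPS_MAX` test, so please confirm the declaration before merging. As a style point, the combined guard reads more naturally as a range check with the negative case first, `if (gidsetsize < 0 || gidsetsize > NGROUPS_MAX) {`, and since the following `if (gidsetsize > 0) {` already keeps negative sizes out of the allocation path, the observable change is that a negative size now returns -TARGET_EINVAL before getgroups() is reached rather than being handed to libc with a NULL grouplist, which is the behaviour the commit message describes and worth stating in a one-line comment above the check so the reason for the second condition survives the Coverity context.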